Google Fonts the GDPR and a Lawyer GDPR USA SaaS EU Privacy Shield Google Analytics Google Fonts CDN

It has been a while since the
issued the
(General Dara Protection Regulation). Since then, it has gotten way more complicated for web devs to work on websites because there are so many things you have to think about.

Since it is an EU-only regulation, a special agreement was filled with non-EU countries to continue their services called
Privacy Shield
. But that shield was broken a while back, and many websites were forced to discontinue using
(or other counties) third-party

For example, it isn't allowed to use
Google Analytics
anymore because that is processed by Alphabet and could "leak" out of the EU. Starting a few weeks back, a Lawyer from Lower Austria sent out warning notices with a fee of 190€ to businesses integrating
Google Fonts
. If you think about the web dev space, integrating Fonts (and Frameworks) via CDNs was typical work.

Well, in Munich, a court decided that using Google Fonts (via
) isn't in line with the GDPR, and IP addresses are transmitted to Google (without the users' consent). Somehow they also ruled that the IP Address is part of a person's "private" data. This, in my opinion, is complete bullshit as only companies get fixed IP addresses and an individual person probably gets a new one every day.

Of course, some of my freelance customers had Google Fonts integrated and got a letter (luckily, only two so far). I spent yesterday evening checking on my customers and seeing which ones used them.

But now comes the interesting part, it seems like the lawyer used an automated way to check if a website used Google Fonts and sent the warning notice to thousands of companies and even "normal" people only owning a simple website on or a personal blog. The GDPR demands that harm needs to have happened to allow a lawsuit. Well, who was harmed if a lawyer actively searches for "malicious" pages?

As it is with the internet, people started organizing themselves, and happened. Now the "classic" media got a hold on the topic, and suddenly also, political figures (Austrian Federal Economic Chamber) checked if there was damage done to companies in Austria because of that mass sending.

Today I read that the Lawyer won't send out any new notices, but the old ones are still "valid". I wonder if that "hole" he found in the GDPR (as there is no supreme court judgement in Austria yet) will backfire on him.

Sure, the GDPR was an essential step in privacy in Europe, but sometimes such action made me question my career decisions. At least, I will mostly do backend work at my new employer, which means such issues probably won't touch me. Still, it ruined my evening yesterday.
But that shield was broken a while back, and many websites were forced to discontinue using
(or other counties) third-party

This is unbelievable. I can't even imagine all the EU devs discontinuing their usage of things liike 
2022-08-25 00:56:53
It truly is. No fancy SaaS or risking a sue. The fines are also pretty high, with a lower limit of 10 to 20 million € or 5 per cent of the company's global revenue. (There seems to be a fine tracker:
2022-08-25 09:39:45